Privacy Policy

1 Introduction

Bio Tap Services Limited (RC 8908487) of 41 Road, B close, Block 4, Festac Town, Lagos, hereinafter referred to as "BioTap".

For the purposes of applicable data protection laws, BioTap acts as the Data Controller in respect of personal data processed through the BioTap platform.

2 Applicable laws and standards

BioTap processes personal data in accordance with the Nigeria Data Protection Regulation (NDPR), applicable guidance issued by the Nigeria Data Protection Commission, and any successor or replacement legislation. Where applicable, BioTap also implements compliance measures aligned with Central Bank of Nigeria (CBN) regulatory frameworks, licensing requirements, and the Payment Card Industry Data Security Standard (PCI DSS).

3 Personal data we collect

3.1 Biometric Data (Sensitive Personal Data)

  • A. Fingerprint data captured via BioTap-certified devices or approved mobile scanners.
  • B. Encrypted biometric templates or hashes generated from fingerprint data and used solely for authentication and payment authorisation.
  • C. Raw fingerprint images are not stored after template generation.
  • D. Device identifiers associated with biometric capture for fraud prevention and system integrity.
  • E. Biometric data is processed solely for authentication purposes and is not used for analytics, profiling, marketing, or any secondary purpose.
  • F. Biometric templates are stored in encrypted form on secure servers and/or secure device enclaves, depending on the deployment architecture.
  • G. Where third-party service providers are engaged in biometric processing, such providers are bound by contractual data protection and confidentiality obligations.

3.2 Personal Identification Data (PII)

  • Full name, date of birth, gender, and contact details (email, phone number, address);
  • Government-issued identification numbers such as National Identification Number (NIN) or Bank Verification Number (BVN) for KYC compliance;
  • Profile photographs and identity documents submitted during onboarding or verification.

3.3 Payment & Financial Data

  • Linked bank account details, card information (where applicable), and wallet balances;
  • Transaction history, payment amounts, merchant identifiers, and settlement records;
  • Transaction metadata required for fraud prevention, reconciliation, and regulatory reporting.

3.4 Device & Technical Data

  • Device type, model, operating system, and application version;
  • Device identifiers such as IMEI, UUID, or advertising IDs where permitted;
  • IP address, network information, and technical activity logs.

3.5 User Interaction Data

  • App usage patterns, feature interactions, and session duration;
  • Customer support requests, feedback, and communications with our team;
  • Error logs and diagnostic data used to improve stability and performance.

3.6 Merchant & Partner Data

  • Business name, registration details, and merchant category information;
  • Settlement accounts, transaction volumes, and commercial agreement records;
  • Partner integration data required to deliver payment and identity services.

3.7 Optional / Derived Data

  • Behavioral analytics used to improve user experience where you have consented;
  • Risk scoring and fraud indicators derived from transaction and usage patterns.

4 Security & Privacy Considerations

We collect only data that is necessary for the purposes described in this policy. Where biometric or sensitive data is processed, we obtain explicit consent before collection and apply enhanced security controls throughout the data lifecycle.

5 Lawful Basis for Processing

We rely on one or more of the following lawful bases:

  • Consent — where you have given clear permission, including for biometric processing;
  • Contract Performance — to provide the Services you request;
  • Legal Obligation — to comply with KYC, AML, tax, and financial regulations;
  • Legitimate Interests — to secure our platform, prevent fraud, and improve our Services, balanced against your rights.

6 Why we process personal data

  • To verify your identity and enable biometric authentication;
  • To process payments, transfers, and merchant transactions;
  • To meet KYC, AML, and regulatory compliance requirements;
  • To detect, investigate, and prevent fraud and unauthorized access;
  • To provide customer support and communicate service-related updates.

7 Biometric consent

Biometric data is classified as sensitive personal data. We will not collect or process your biometric information without your explicit, informed consent. You may withdraw consent at any time through the app or by contacting us; withdrawal may limit certain features that depend on biometric authentication.

8 Data retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, including legal, regulatory, and operational requirements. Biometric templates are retained only while your BioTap account remains active unless a longer retention period is required by law.

8.1 Biometric Data (Fingerprint Templates)

A. Data Type

Encrypted biometric templates derived from fingerprint scans. We do not store raw fingerprint images.

B. Retention Period

Retained only while your BioTap account is active and biometric authentication is enabled.

C. Deletion Triggers

  • Account closure or deletion request;
  • Withdrawal of biometric consent;
  • Regulatory or legal requirement to delete.

D. Post-Deletion

Biometric templates are permanently deleted within 60 days of a valid deletion trigger, unless law requires longer retention.

E. Safeguards

Templates are encrypted at rest and in transit. Access is restricted to authorized systems and personnel on a need-to-know basis.

8.2 Transaction Logs and Payment Records

A. Data Type

Transaction history, payment logs, settlement records, and associated metadata.

B. Retention Period

Retained for a minimum of seven (7) years to comply with financial regulations, tax laws, and anti-money laundering (AML) requirements.

C. Purpose of Retention

To support audits, dispute resolution, regulatory examinations, and lawful requests from competent authorities.

8.3 Legal Hold and Extended Retention

Where litigation, investigation, or regulatory inquiry requires it, we may retain relevant data beyond standard retention periods until the matter is resolved or we are legally permitted to delete it.

9 Data storage and cross-border transfers

Your data may be stored and processed in Nigeria and, where necessary, in other countries where our service providers operate. When data is transferred across borders, we implement appropriate safeguards such as contractual clauses and security controls consistent with applicable law.

10 Security measures

We implement administrative, technical, and physical safeguards including encryption, access controls, multi-factor authentication for internal systems, regular security assessments, and employee training. While we strive to protect your data, no system is completely secure.

11 Data sharing and disclosure

We do not sell your personal data. We may share information with payment processors, banks, identity verification partners, cloud infrastructure providers, and regulators where necessary to deliver the Services or comply with law, subject to confidentiality and data protection obligations.

12 Automated Processing and Profiling

BioTap may use automated systems for fraud detection, risk scoring, and transaction monitoring. These processes help protect you and other users. You may contact us to request information about automated decisions that significantly affect you, where applicable under law.

13 Your rights

Subject to applicable law, you may have the right to:

  • Access the personal data we hold about you;
  • Request correction of inaccurate or incomplete data;
  • Request deletion of your data where legally permitted;
  • Object to or restrict certain processing activities;
  • Lodge a complaint with the Nigeria Data Protection Commission (NDPC) or relevant supervisory authority.

14 Children's Data

BioTap Services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a minor, please contact us and we will take steps to delete it promptly.

15 Contact

For privacy enquiries, data subject requests, or complaints:

Email: privacy@biotapapp.com
General contact: Contact@biotapapp.com

BioTap has designated a Data Protection Officer to oversee compliance with this policy. You may reach our DPO through the email addresses above.